I've got a "ForceChangePassword" page for after "ForgotPassword" and it is randomly throwing two length requirements on the "NewPassword" field. The problem is, I never added a length requirement of 7 and have no idea where it is coming from or how to change it.

Errors from ModelState

The New password must be at least 6 characters long.
The 'New password' field is an invalid password. Password must have 7 or more characters.

if (!ModelState.IsValid) { return View(model); } // Only line executed in the POST Action.

I set the length requirement to 6 on the ViewModel via Attribute (see below). I have no idea where the 7 requirement is coming from.

IdentityConfig.cs

manager.PasswordValidator = new PasswordValidator
{
    RequiredLength = 6,
    RequireNonLetterOrDigit = true,
    RequireDigit = true,
    RequireLowercase = true,
    RequireUppercase = true,
};

Model

[Required]
[StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
[MembershipPassword(
    MinRequiredNonAlphanumericCharacters = 1,
    MinNonAlphanumericCharactersError = "Your password needs to contain at least one symbol (!, @, #, etc).",
    ErrorMessage = "Your password must be 6 characters long and contain at least one symbol (!, @, #, etc)."
)]
[DataType(DataType.Password)]
[Display(Name = "New password")]
public string NewPassword { get; set; }

View

<div class="form-group">
    @Html.LabelFor(m => m.NewPassword, new { @class = "col-md-2 control-label" })
    <div class="col-md-10">
        @Html.PasswordFor(m => m.NewPassword, new { @class = "form-control", @autocomplete = "off" })
    </div>
</div>

Culprit attribute:

data-val-password-min="7"

Question: Where are the possible locations to add password-length validation in an MVC 5 project using Identity 2.0? Could there be a default-requirement of some sort I'm just not setting?

Note: I'll add more code if necessary but I've posted all possibly relevant code I know of. Nothing else mentions passwords at all (to my knowledge, let me know if there are more locations).

Found it. The MembershipPassword attribute had a default of 7 length I guess. It was having double length requirement simply because that attribute has a length requirement and I had a StringLength attribute too. So it threw errors for both.

Fix:

[Required]
[MembershipPassword(
    MinRequiredNonAlphanumericCharacters = 1,
    MinNonAlphanumericCharactersError = "Your password needs to contain at least one symbol (!, @, #, etc).",
    ErrorMessage = "Your password must be 6 characters long and contain at least one symbol (!, @, #, etc).",
    MinRequiredPasswordLength = 6
)]
[DataType(DataType.Password)]
[Display(Name = "New password")]
public string NewPassword { get; set; }

(Set the MinRequiredPasswordLength and removed the StringLength attribute)

In App_Start\IdentityConfig.cs there's the following code:

// Configure validation logic for passwords
manager.PasswordValidator = new PasswordValidator
{
    RequiredLength = 6,
    RequireNonLetterOrDigit = true,
    RequireDigit = true,
    RequireLowercase = true,
    RequireUppercase = true,
};

That is what you need to change. [MembershipPassword] is from the older ASP.NET Membership authentication, which is totally different and separate from Identity.